
Let’s start with something most people in a boardroom won’t say out loud.
A company spends money on the things that make money. That’s not a flaw, that’s the job. Executives get paid, in large part, on profit. Stock goes up, bonuses go up. So when a leader is deciding where the next dollar goes, they are quietly asking one question: Will this dollar come back with friends?
Privacy and data protection have a hard time answering that question with a clear yes. So the dollar goes somewhere else.
That’s the uncomfortable truth underneath every “we’ll get to it next quarter.” It isn’t that executives are reckless or don’t care. It’s that the scoreboard they’re judged on doesn’t have a column for “didn’t get sued” or “didn’t get investigated by the authorities.” Those wins are invisible. And invisible wins don’t show up in a compensation review.
I read a thoughtful piece in the IAPP recently asking why it’s still so hard to get corporate buy-in for privacy compliance, even with enforcement ramping up and AI pouring fuel on the fire. It noted that privacy compliance still doesn’t get the same boardroom urgency as anti-money-laundering rules or antitrust enforcement. The article is right about the symptoms. I want to talk about the disease.
Why privacy loses the budget fight
Picture two people walking into the CFO’s office on the same morning.
The first one says: “Give me $200,000 and I’ll bring in $600,000 in new sales.” Easy yes.
The second one says: “Give me $200,000 and… nothing bad will happen. Probably. Eventually. Maybe. I can’t tell you exactly what or when.”
You already know who wins that meeting. And here’s the part privacy people hate to admit – the CFO isn’t wrong to hesitate. The second pitch is a bad pitch. It asks for real money and offers a fuzzy promise in return.
So privacy gets treated like buying insurance for a house fire nobody in the neighbourhood has had yet. As I like to say, not my circus, not my monkey, and that’s exactly the trap. Every department looks at privacy and decides it belongs to someone else. Privacy overlaps with security, marketing, IT, HR and legal, and when ownership is unclear, accountability spreads out so thin that nothing actually moves. Everyone assumes it’s another department’s monkey. So the monkey just sits there. (IAPP)
A few other things make it worse, and the IAPP piece named them well:
It’s genuinely hard to explain. You’re not dealing with one law, you’re dealing with dozens of overlapping, sometimes contradictory rules across different places, and that’s tough to squeeze into a three-minute pitch for a CEO. Antitrust has bright lines. Privacy has a moving target. (IAPP) This can be overcome by working with professionals who know how to select the highest bar (likely the GDPR) and then bolt on isolated elements to satisfy regional laws (for example, adding a “Do Not Sell or Share My Personal Information” link to the website to satisfy the CPRA).
There’s no obvious boogeyman. Unlike sanctions violations, where the penalties are huge and well-publicized, privacy enforcement has been scattered across different regulators and legal theories. That makes leadership say “show me the company in our space that got hit”, and that’s a hard question to answer with one tidy example. (IAPP)
And the most dangerous line of all: if nobody in your industry has been sued or fined, there’s an assumption that the current approach must be good enough. But here’s the thing: your competitor not getting caught doesn’t mean their practices are compliant. It just means the bill hasn’t arrived. As I often say, no good picking up speed if you’re on the wrong road. A whole industry can be speeding down the wrong road together and feeling great about the pace. (IAPP)
Why “it costs shareholders money” is only half the math